Bug 5238 - smbcacls ACLs ordering problem
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools
Version: 3.0.28
Hardware: Other Windows NT
Importance: P3 normal
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2008-02-01 19:14 UTC by smiff
Modified: 2008-02-12 07:23 UTC

Description smiff 2008-02-01 19:14:14 UTC
This is the version of smbcacls:

[root@localhost ~]# smbcacls -V
Version 3.0.28-0.fc7

This is the version of the operating system:

[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 i686 i386 GNU/Linux


Start with a directory with no ACLs:

[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x
REVISION:1
OWNER:Windows-PC\mygoodself
GROUP:Windows-PC\None

Apply a list of ACLs to the directory using smbcacls:

[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:Windows-PC\seconduser:ALLOWED/3/READ"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:Windows-PC\mygoodself:ALLOWED/19/FULL"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:NT AUTHORITY\Authenticated Users:ALLOWED/19/CHANGE"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:NT AUTHORITY\SYSTEM:ALLOWED/19/FULL"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:BUILTIN\Administrators:ALLOWED/19/FULL"
[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x -a "ACL:BUILTIN\Users:ALLOWED/19/READ"

But the list is not in the order applied:

[root@localhost ~]# smbcacls //192.168.1.65/'area 3' 'test/new' -U mygoodself%x
REVISION:1
OWNER:Windows-PC\mygoodself
GROUP:Windows-PC\None
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/19/CHANGE
ACL:NT AUTHORITY\SYSTEM:ALLOWED/19/FULL
ACL:BUILTIN\Administrators:ALLOWED/19/FULL
ACL:BUILTIN\Users:ALLOWED/19/READ
ACL:Windows-PC\mygoodself:ALLOWED/19/FULL
ACL:Windows-PC\seconduser:ALLOWED/3/READ

In Windows, when right-clicking on the directory 'new' and going to Properties, then the Security tab, the following message is displayed:

"The permissions on 'new' are incorrectly ordered, which may cause some entries to be ineffective"
Comment 1 smiff 2008-02-11 06:23:24 UTC
The problem is the same when adding multiple ACLs on one line.

[root ~]# smbcacls //192.168.1.64/'area 3' 'test/new' -a 'ACL:Windows-PC\seconduser:ALLOWED/3/READ,ACL:Windows-PC\mygoodself:ALLOWED/19/FULL,ACL:NT AUTHORITY\Authenticated Users:ALLOWED/19/CHANGE,ACL:NT AUTHORITY\SYSTEM:ALLOWED/19/FULL,ACL:BUILTIN\Administrators:ALLOWED/19/FULL,ACL:BUILTIN\Administrators:ALLOWED/19/FULL' -Umygoodself%x

[root ~]# smbcacls //192.168.1.64/'area 3' 'test/new' -Umygoodself%x
REVISION:1
OWNER:Windows-PC\mygoodself
GROUP:Windows-PC\None
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/19/CHANGE
ACL:NT AUTHORITY\SYSTEM:ALLOWED/19/FULL
ACL:BUILTIN\Administrators:ALLOWED/19/FULL
ACL:Windows-PC\mygoodself:ALLOWED/19/FULL
ACL:Windows-PC\seconduser:ALLOWED/3/READ
Comment 2 smiff 2008-02-12 05:45:00 UTC
I don't want to make changes directly to Samba, as I don't want millions of people to blame me ... however, after looking at this Microsoft specification

http://msdn2.microsoft.com/en-us/library/aa379298(VS.85).aspx

I think the ace_compare function in smbcacls.c should be coded like this:

static int ace_compare(SEC_ACE *ace1, SEC_ACE *ace2)
{
        if (sec_ace_equal(ace1, ace2))
                return 0;

        if (ace1->flags != ace2->flags)
                return ace1->flags - ace2->flags;

        if (ace1->type != ace2->type)
                return ace2->type - ace1->type;

        if (sid_compare(&ace1->trustee, &ace2->trustee))
                return sid_compare(&ace1->trustee, &ace2->trustee);

        if (ace1->access_mask != ace2->access_mask)
                return ace1->access_mask - ace2->access_mask;

        if (ace1->size != ace2->size)
                return ace1->size - ace2->size;

        return memcmp(ace1, ace2, sizeof(SEC_ACE));
}
Comment 3 Derrell Lipman 2008-02-12 07:10:04 UTC
I don't think it's quite that simple.  I've already been through this with libsmbclient.  I _believe_ that the ace_compare() function in source/libsmb/libsmbclient.c now does this properly so could probably be used as a model.

Derrell
Comment 4 smiff 2008-02-12 07:23:46 UTC
OK thx, I'll copy and paste that directly into smbcacls.c and compile it - we are gonna do some testing so I will let you know (on this webpage) if it works OK or not.
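
Added example (not part of the bug thread and not Samba's code): a C check of the two ACLs quoted in the report against the Windows canonical DACL order, in which explicit ACEs precede inherited ones and, among explicit ACEs, deny precedes allow. It assumes the middle field of each ACL line is the ACE flags in decimal, so that 19 includes the inherited bit 0x10 and 3 does not; ace_rank and first_misordered are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define INHERITED_ACE 0x10 /* ACE flag bit: entry was inherited from a parent */

/* From the report: the order given to "smbcacls -a" and the order read back. */
static const char *const applied[] = {
    "ACL:Windows-PC\\seconduser:ALLOWED/3/READ",
    "ACL:Windows-PC\\mygoodself:ALLOWED/19/FULL",
    "ACL:NT AUTHORITY\\Authenticated Users:ALLOWED/19/CHANGE",
    "ACL:NT AUTHORITY\\SYSTEM:ALLOWED/19/FULL",
    "ACL:BUILTIN\\Administrators:ALLOWED/19/FULL",
    "ACL:BUILTIN\\Users:ALLOWED/19/READ" };
static const char *const stored[] = {
    "ACL:NT AUTHORITY\\Authenticated Users:ALLOWED/19/CHANGE",
    "ACL:NT AUTHORITY\\SYSTEM:ALLOWED/19/FULL",
    "ACL:BUILTIN\\Administrators:ALLOWED/19/FULL",
    "ACL:BUILTIN\\Users:ALLOWED/19/READ",
    "ACL:Windows-PC\\mygoodself:ALLOWED/19/FULL",
    "ACL:Windows-PC\\seconduser:ALLOWED/3/READ" };

/* Rank 0 = explicit deny, 1 = explicit allow, 2 = inherited, -1 = unparsable line. */
static int ace_rank(const char *line) {
    const char *type = strrchr(line, ':'); /* last colon; trustee may hold spaces */
    if (strncmp(line, "ACL:", 4) != 0 || type == line + 3) return -1;
    const char *slash = strchr(++type, '/');
    if (slash == NULL) return -1;
    int denied = (slash - type == 6 && strncmp(type, "DENIED", 6) == 0);
    if (!denied && !(slash - type == 7 && strncmp(type, "ALLOWED", 7) == 0)) return -1;
    char *end;
    long flags = strtol(slash + 1, &end, 10); /* assumption: flags field is decimal */
    if (end == slash + 1 || *end != '/') return -1;
    /* Inherited ACEs share one rank: their order depends on the inheritance level. */
    return (flags & INHERITED_ACE) ? 2 : (denied ? 0 : 1);
}

/* Index of the first ACE that breaks canonical order; -1 if none, -2 on a bad line. */
int first_misordered(const char *const *acl, int n) {
    for (int i = 0, prev = 0; i < n; i++) {
        int r = ace_rank(acl[i]);
        if (r < 0) return -2;
        if (r < prev) return i;
        prev = r;
    }
    return -1;
}

int main(void) {
    printf("applied: %d, stored: %d\n", first_misordered(applied, 6), first_misordered(stored, 6));
    return 0;
}
```

Under that assumption the order passed to smbcacls is canonical, while the list read back is flagged at its last entry, the only explicit ACE, which ends up after the five marked as inherited.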